IPFire 2.17 - Core Update 90 released

this is the official release announcement of IPFire 2.17 – Core Update 90. This one comes with some new features, many updates of software packages and various minor bug fixes.

GeoIP

Attackers originate from all sorts of places in the world. Often huge networks of bots scan the entire Internet for services that are publicly accessible and possible to exploit. With GeoIP-based blocking it is possible to mitigate many of those scans to take off the load of the firewall engine and to secure those publicly accessible services. With GeoIP-based firewall rules it is possible to filter incoming and outgoing traffic related on their source or desired destination countries. Here are some examples what can be done with such a GeoIP-filter:

Prevent malware on your local systems to communicate with their command and control (C&C) servers, which often are located in a certain countries.

Only allow remote administration from your own country.

Create firewall rules for limit new connection attempts for countries you usually don’t communicate that much with. This could help to prevent from getting your mail servers flooded with spam from those countries.

The GeoIP feature successfully has been funded on the IPFire wishlist.

A pretty easy way to block any incoming traffic of several countries, a new configuration page has been added to the IPFire web user interface. On there, you can block incoming traffic from countries. You may also define firewall rules where you can filter the originating country or destination country.

Cryptography updates

SSLv3 and SSLv2 are now disabled by default

We have been disabling all possibly broken algorithms in the services that IPFire itself is running and providing to the network. Now we are making the even bigger step to disable support for SSLv2 and SSLv3 for all SSL connections that are initiated by IPFire. Those two revisions of the SSL protocol are very old and practically not used any more. They are also considered as broken and should not be used any more.

Compatibility is still possible if the software you are using explicitly requests for those protocols.

Performance improvements

We focussed very much on increasing the performance of ciphers in this release. First of all we dropped support for cryptodev and replaced it with optimising the user-space libraries so that these can use CPU instructions when ever they are available for increasing throughput. The AES algorithm was in spotlight of those efforts as it is the most commonly used cipher. Others will benefit as well.

We updated the openssl package to version 1.0.2a and are shipping two versions of libcrypto.so.10, which is the library that holds the implementation of ciphers, hashes and those alike. The first shipped version is compiled as usual and is used on all systems by default. If there is SSE2 support available which is on more than 86% of all systems known to fireinfo, an other version of libcrypto.so.10 will be loaded which is compiled with various optimisations that require SSE and SSE2 instructions.

Hardware crypto processors like VIA Padlock and AES-NI are of course used automatically when available.

Removing legacy code

We used to ship an extra copy of openssl version 0.9.8 for compatibility reasons which is now removed with this update. The 0.9.8 branch of openssl will not be discontinued by the openssl developers soon and the libraries are not used any more. If you have a custom built program that is linked against these, you will have to recompile it.

IPsec/strongSwan

strongSwan has been updated to version 5.3.0. It provides much better stability of IPsec VPN connections.

Wolfgang Apolinarski sent in a patch that improves compatibility with the internal Windows IPsec client and another one that increases key sizes of the internal CA to 4096 bits for the root key and 2048 bits for each client certificate. The SHA-512 and SHA-256 hash algorithm is used respectively. Old certificates can not be converted for obvious reasons, but new certificates will be created and signed with the new properties.

IKE fragmentation is now enabled by default which helps peers that implement it to fragment IKE packets before they are sent over a path with potentially broken routers that do not forward fragments.

Ciphers Selection

We have improved the selection of ciphers on the IPFire web user interface where we added AES-GCM with various key and ICV sizes and we ordered the ciphers by their strength so that it is easier to select the strongest one possible.

Kernel Update

The kernel has been updated to version 3.14.43. It comes with various security fixes and bug fixes throughout the entire tree.

The synthetic Hyper-V drivers have been patched to work with legacy version of Microsoft Hyper-V (at least 2008). The igb driver module that is maintained by Intel has been replaced by the default kernel module.

Bug fixes and other changes

glibc: Fix CVE-2013-7423 and CVE-2015-1781

apache will not show its version and loaded modules any more in the server signature

Connections in the list of connections that are using Destination NAT are now coloured in the colour of the new destination host.

dnsmasq has been fixed so that it will correctly fall back to TCP for DNS replies larger than the DNS packet size.

udev: Network interface names are now assigned from the configuration in /var/ipfire/ethernet/settings instead of the setup tool generating a native udev configuration file.

ovpnmain.cgi: Some certificate authority (CA) related elements have been displayed outside the site layout.